First, the virus establishes a connection to the C&C server.
After this, a malicious executable file, which in this analysis pretends to be a .png, is dropped or overwritten and executed.
Then FormBook proceeds to steal personal data and change the autorun value in the registry.
The virus also loads a DLL from Mozilla Firefox, creates files in the user directory, and starts CMD.EXE to set up persistence and later begin process injection.
Finally, the injected Firefox.exe is executed to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.
According to FormBook analysis, the malware is usually distributed via email campaigns that utilize a wide array of infection mechanisms and can carry a variety of file attachments. Among the most commonly observed attachments are PDF, DOC or EXE files, and ZIP, RAR, ACE and ISO archives.
Campaigns in which the virus is distributed through files with PDF extensions are known to utilize shipping-related themes and usually include a download link that points at the malicious payload rather than carrying the virus itself. DOC and EXE campaigns utilize macros to install and run the virus.
Often, in such a case the virus is retrieved as a .PDF file. Finally, archive campaigns are considered the most common attack vector for this virus and usually revolve around a business-related theme, such as a payment order. With this attack vector, the attachments either contain a link to the FormBook stealer EXE file or install and run the virus on the victim's PC directly.
After the malicious file is downloaded, the only thing needed to start the infection is for the file to be opened. When a Microsoft Office file (doc, xls, rtf) is used as the infection source, once it is opened the malware exploits the CVE-2017-11882 vulnerability, so that the Microsoft Office Equation Editor proceeds to download a malicious executable file and run it.
After infecting the victim's PC, the virus copies and renames itself into a directory that differs based on the privileges of the user.
If an admin account is used, the virus installs itself in either %ProgramFiles% or %CommonProgramFiles%.
On the other hand, if the privileges are not elevated, the virus copies itself into %TEMP% or %APPDATA%.
The FormBook trojan also changes the autorun value in the registry depending on whether it was run with normal or elevated privileges. After the malware has copied itself into a directory, it proceeds to check whether it is being run on a virtual machine or analyzed, evaluating the best evasion technique for the particular situation.
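The install-location and autorun behaviour above gives a defender a concrete thing to check: a Run key value whose executable resolves into %TEMP% or %APPDATA%. The script below is an added example and not part of the original analysis or of ANY.RUN's tooling; it parses constructed `reg query` style output against a constructed environment map (the variable values and every entry in the sample dump are made up for the example), expands %VAR% tokens, and flags entries whose target lives in those user-writable directories. Entries under %ProgramFiles% are deliberately not flagged, since legitimate software lives there and the elevated-install case needs other evidence.

```python
import re
from typing import Iterator, List, Tuple

# Constructed environment map so the example runs deterministically offline;
# on a live host you would resolve these per user profile (os.environ is one source).
ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "ProgramFiles": r"C:\Program Files",
    "CommonProgramFiles": r"C:\Program Files\Common Files",
}

# The analysis says a non-elevated FormBook copy lands in %TEMP% or %APPDATA%;
# an autorun value whose executable resolves there is the signal we look for.
USER_WRITABLE = ("TEMP", "APPDATA")

RUN_KEY_RE = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\.*\\CurrentVersion\\Run$", re.I)
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")


def expand(path: str) -> str:
    """Expand %VAR% tokens using the constructed ENV map (case-insensitive)."""
    for var, value in ENV.items():
        path = re.compile("%" + re.escape(var) + "%", re.I).sub(lambda _m: value, path)
    return path


def extract_exe_path(data: str) -> str:
    """Pull the executable path out of a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        # Unquoted value: keep everything up to the first .exe token
        m = re.match(r"(.+?\.exe)\b", data, re.I)
        path = m.group(1) if m else data.split()[0]
    return expand(path)


def parse_reg_query(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, value_data) for values under a Run key, reading the
    layout that `reg query` prints: an unindented key line followed by indented values."""
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key and RUN_KEY_RE.match(current_key):
            yield current_key, m.group("name"), m.group("data")


def suspicious_autoruns(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (hive, value_name, resolved_exe, reason) for autorun entries whose
    executable lives in a user-writable staging directory."""
    hits = []
    for key, name, data in parse_reg_query(text):
        hive = "HKLM" if key.upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU"
        exe = extract_exe_path(data)
        for var in USER_WRITABLE:
            if exe.lower().startswith(ENV[var].lower() + "\\"):
                hits.append((hive, name, exe, f"autorun target resolves under %{var}%"))
                break
    return hits


# Constructed `reg query` output: one legitimate entry per hive plus two entries
# shaped like the non-elevated FormBook install described in the analysis.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    xw3kq0      REG_SZ    C:\Users\alice\AppData\Roaming\xw3kq0\xw3kq0.exe
    Updater     REG_EXPAND_SZ    %TEMP%\update.exe -k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCuiL.exe
"""

if __name__ == "__main__":
    for hive, name, exe, reason in suspicious_autoruns(SAMPLE):
        print(f"[{hive}] {name}: {exe}  ({reason})")
```

The OneDrive entry sits in AppData\Local, not in %TEMP% or %APPDATA% (AppData\Roaming), so it is not flagged; matching on the resolved path rather than on the literal string "AppData" is what keeps the check precise. On a real host, feed the function the output of `reg query` for both Run keys.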
Meanwhile, the virus evaluates the USERNAME environment variable to find out whether it is being launched in a simulated environment, while also checking for the presence of debuggers.
It should be noted that the malware uses particularly clever techniques against analysis: for example, all shared strings, such as command server names, are decoded only briefly and only when absolutely required, which makes FormBook highly elusive. In the next step, the virus uses the same injection method on an active explorer.exe process, which is employed only as a non-permanent staging ground.
The virus occasionally performs injections into web browser processes and explorer.exe. After injecting into the process, the virus chooses a random application from a static list.
Then the virus runs the chosen application in suspended mode and copies itself into the address space of the suspended process, thus mimicking a genuine Microsoft process.
Next, the virus exits the original process, which leaves FormBook's dead code in explorer.exe. From this stage, new FormBook processes can inject into targeted applications such as web browser processes, which in this particular ANY.RUN simulation is Firefox.
Depending on the target process, the virus can install various function hooks. Running inside the context of an already created process, the virus goes through every currently active process, trying to identify targeted programs. As soon as a target is found, FormBook injects itself into it and installs a particular set of API hooks that depends on the target program. The stolen data is then saved in files in the %APPDATA% directory until it is sent to the C&C server. Pay attention to this behaviour to detect the malware.
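The chain described above (injection into a browser process, data staged under %APPDATA%, then a send to the C&C server) is exactly the kind of sequence an endpoint log correlator can catch, because an ordinary browser writes to %APPDATA% and talks to the network without ever being the target of a remote thread. The script below is an added example and not part of the original analysis or of ANY.RUN's product; it walks Sysmon-style events (the field names EventID, ProcessId, Image, SourceImage, TargetProcessId, TargetImage, TargetFilename, DestinationIp and DestinationPort follow Sysmon's schema, but every value, process id and path in the sample is constructed) and alerts only when one process id shows all three steps in order.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed for this example: the victim's %APPDATA%; derive it per user on a live host.
APPDATA = r"C:\Users\alice\AppData\Roaming"


@dataclass
class ProcState:
    """What has been seen so far for one process id."""
    image: str = ""
    injected_by: Optional[str] = None              # SourceImage of an Event 8 aimed at this pid
    staged_files: List[str] = field(default_factory=list)


def correlate(events: List[Dict]) -> List[Dict]:
    """Walk Sysmon-style events in order and alert on processes that
    (1) received a remote thread, then (2) wrote under %APPDATA%, then (3) connected out."""
    state: Dict[int, ProcState] = defaultdict(ProcState)
    alerts: List[Dict] = []
    root = APPDATA.lower() + "\\"
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:                       # process create
            state[ev["ProcessId"]].image = ev["Image"]
        elif eid == 8:                     # CreateRemoteThread: the injection step
            target = state[ev["TargetProcessId"]]
            target.image = ev["TargetImage"]
            target.injected_by = ev["SourceImage"]
        elif eid == 11:                    # file create: stolen data being staged
            proc = state[ev["ProcessId"]]
            if proc.injected_by and ev["TargetFilename"].lower().startswith(root):
                proc.staged_files.append(ev["TargetFilename"])
        elif eid == 3:                     # network connect: the send to the C&C server
            proc = state[ev["ProcessId"]]
            if proc.injected_by and proc.staged_files:
                alerts.append({
                    "pid": ev["ProcessId"],
                    "image": proc.image,
                    "injected_by": proc.injected_by,
                    "staged": list(proc.staged_files),
                    "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                })
                proc.staged_files.clear()  # one alert per staged batch
    return alerts


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events (Sysmon field names, invented values). pid 4120 follows the
# FormBook chain; pid 5000 is an ordinary Firefox doing similar file and network
# activity without ever being injected into, and must not alert.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": FIREFOX, "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 5000, "Image": FIREFOX, "ParentImage": EXPLORER},
    {"EventID": 8, "SourceProcessId": 3180, "SourceImage": EXPLORER,
     "TargetProcessId": 4120, "TargetImage": FIREFOX},
    {"EventID": 11, "ProcessId": 4120, "Image": FIREFOX,
     "TargetFilename": APPDATA + r"\k3f7\k3f7.dat"},
    {"EventID": 11, "ProcessId": 5000, "Image": FIREFOX,
     "TargetFilename": APPDATA + r"\Mozilla\Firefox\Profiles\x1.default\places.sqlite"},
    {"EventID": 3, "ProcessId": 5000, "Image": FIREFOX,
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 4120, "Image": FIREFOX,
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"pid {a['pid']} ({a['image']}) injected by {a['injected_by']}, "
              f"staged {a['staged']}, sent to {a['destination']}")
```

The order of the steps is what carries the signal: a file write under %APPDATA% or an outbound connection on its own is normal browser behaviour, and only a process that was first the target of a remote thread from another image (here explorer.exe, the staging process named in the analysis) is promoted to an alert. Tightening the source-image check, or requiring the Event 8 source to be a process outside the browser's own vendor directory, reduces noise further on real telemetry.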